Configuring Site-to-Site VPN on two ASA5505

tsabsuavyaj (Level 1)

I have two ASA5505s, ver 8.4(6) and ver 9.0(2), configured for a site-to-site VPN lab, but with no success. I could ping any outside address from both ASAs, but couldn't ping the LAN on the other end of the ASA. Below is the error message when trying to verify if the VPN tunnel is established. For reference, the configurations are provided below. Any help is much appreciated.

ASA1# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs

ASA1# show crypto ipsec sa
There are no ipsec sas

ASA1:

crypto isakmp enable outside
object network net-local
 subnet 192.168.1.0 255.255.255.0
object network net-remote
 subnet 192.168.2.0 255.255.255.0
!
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key pass1234
 isakmp keepalive threshold 10 retry 2
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.200.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
exit

ASA2:

crypto isakmp enable outside
object network net-local
 subnet 192.168.2.0 255.255.255.0
object network net-remote
 subnet 192.168.1.0 255.255.255.0
!
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key pass1234
 isakmp keepalive threshold 10 retry 2
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 100.100.100.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
exit

ASA1# sh run int
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
ASA1#

ASA1# ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ASA1# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.46.71, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms
ASA1#

ASA2# sh run int
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

ASA2# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ASA2# ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 173.194.46.64, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms
ASA2#

Accepted Solution

If you are not seeing any debugs from the ASA, then there are no cryptographic negotiations of any kind.

The issue may be that you need to generate some interesting traffic to match the ACL. I'm not sure if you are on a physical lab or on GNS3. If you are using a physical lab, attach a laptop to the inside interface and configure an IP in that subnet. You may need to do that to the other ASA. Then initiate a ping to the other network.

17 Replies

zyang (Level 1)

If you ping the internal interface of the other ASA and you get nothing, check the SAs.

show crypto isa sa

If you see it as MM_Active, then the ipsec tunnel is up.

Try to ping something beyond the LAN interface.  This would prove that the tunnel is up.

As for why you don't get a response, I believe that's a default action of the ASAs to not respond to pings from outside to an internal ASA interface.  You can enable it I believe, however I don't recall the command for it.

sh crypto isa sa returned the following message. Also, I cannot ping the switch on the other end of the ASA either. Any thoughts?

ASA1# sh crypto isa sa
There are no IKEv1 SAs
There are no IKEv2 SAs

Marvin Rhoads (Hall of Fame)

Both your ASAs' outside interfaces are set to get their addresses via DHCP. Your configurations above show the peer addresses as 100.100.100.1 and 200.200.200.1.

You need to use the actual address the remote end has on its outside interface in order to even attempt to establish a security association (SA).

Hi Marvin,

Thank you for your reply. For security purposes, the outside addresses have been replaced with 100.100.100.1 and 200.200.200.1, but on my ASAs the real IP addresses are used.

Many thanks

You're missing the object name in this line:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

It should read:

crypto ipsec transform-set outside_map ESP-3DES-SHA esp-3des esp-sha-hma

Also can you ping the outside interfaces of your appliances from each other?  Are they behind any other firewalls or NAT devices?

Hi Simon,

Thank you for your reply. The crypto ipsec transform-set statement you provided is invalid. See the error message below. And yes, I can ping the outside interfaces from the ASAs; results below. There are no other firewalls before the ASAs. The ASAs are sitting just behind the ISP router.

ASA1(config)# crypto ipsec transform-set outside_map ESP-3DES-SHA esp-3des esp$
crypto ipsec transform-set outside_map ESP-3DES-SHA esp-3des esp-sha-hma
                                               ^
ERROR: % Invalid input detected at '^' marker.
ASA1(config)#

ASA1# ping 200.200.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
!!!!!

ASA2# ping 100.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Ignore me, I'm talking rubbish. I don't normally set my transform-set like that, so it threw me.

Let's go back to the beginning.  Are the ASAs even trying to talk?

Run the debug commands:

debug crypto isakmp 7

debug crypto ipsec 7

I'm with Simon on this - your configs (to the extent you've shared them) appear to match up and should result in an IPsec VPN establishing and passing traffic.

Turn on the suggested debugs and then introduce interesting traffic. Analyze and share the resulting log output.

Hi,

Just one note. When you are able to ping the remote ASA, it does not necessarily mean that there is no other device blocking IPsec traffic.

Regarding debug, you can go this way, but you should at least see Phase 1 in your logs on the local or remote ASA. You can also see some reason why the tunnel is not formed, all without debug. If you don't see Phase 1, the crypto map probably does not match the network you are trying to contact.

So the question is:

When you try to ping the remote site, can you see that the ASA is trying to negotiate Phase 1 or Phase 2 in your logs?

Jan

Jan Rolny (Level 3)

I tried to reproduce your problem and found that your config is missing this:

crypto ikev1 enable outside

You must enable IKE on the interface that terminates the VPN tunnel. Typically this is the outside, or public interface. To enable IKEv1 or IKEv2, use the crypto ikev1 | ikev2 enable command from global configuration mode:

crypto ikev1 | ikev2 enable interface-name

For example:

hostname(config)# crypto ikev1 enable outside


Best regards,

Jan

Please rate if you consider that this post is helpful
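Marvin noted above that the two configs should match up, and Jan's reply points at the one line that must be present for IKE to even start. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the L2L-relevant lines of two ASA configs and reports whether IKE is enabled on the interface carrying the crypto map, whether the two crypto ACLs mirror each other, and whether the pre-shared keys for the configured peers agree. The TEMPLATE, lab_config, parse and check_pair names are constructed for this example; the template only reproduces the shape of the configs posted above.

```python
# Constructed template shaped like the two configs posted in the thread (not the poster's full config).
TEMPLATE = """object network net-local
 subnet {local} 255.255.255.0
object network net-remote
 subnet {remote} 255.255.255.0
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group {peer} ipsec-attributes
 pre-shared-key {psk}
crypto map outside_map 1 set peer {peer}
crypto map outside_map interface outside
{ike}"""

def lab_config(local, remote, peer, psk, ike_enabled):
    # ike_enabled controls whether the 'crypto ikev1 enable outside' line is present
    ike = "crypto ikev1 enable outside" if ike_enabled else ""
    return TEMPLATE.format(local=local, remote=remote, peer=peer, psk=psk, ike=ike)

def parse(cfg):
    """Extract the fields of an L2L config that must agree with the far end."""
    objs, cur_obj, cur_tg = {}, None, None
    info = {"ike_if": set(), "psk": {}, "peer": None, "map_if": None, "acl": None}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:2] == ["object", "network"]:
            cur_obj = t[2]
        elif t[0] == "subnet" and cur_obj:
            objs[cur_obj] = f"{t[1]} {t[2]}"
        elif t[0] == "access-list" and t[2:5] == ["permit", "ip", "object"]:
            info["acl"] = (objs.get(t[5], t[5]), objs.get(t[7], t[7]))  # (source, destination)
        elif t[0] == "tunnel-group" and t[2] == "ipsec-attributes":
            cur_tg = t[1]
        elif t[0] == "pre-shared-key" and cur_tg:
            info["psk"][cur_tg] = t[1]
        elif t[0] == "crypto" and t[1] in ("ikev1", "ikev2", "isakmp") and t[2] == "enable":
            info["ike_if"].add(t[3])  # either spelling enables IKE on the named interface
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            info["peer"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            info["map_if"] = t[4]
    return info

def check_pair(cfg_a, cfg_b):
    """Return the mismatches between the two peers (an empty list means they agree)."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = [f"{n}: IKE not enabled on crypto map interface {p['map_if']}"
                for n, p in (("A", a), ("B", b)) if p["map_if"] not in p["ike_if"]]
    if not (a["acl"] and b["acl"]) or a["acl"] != b["acl"][::-1]:
        problems.append("crypto ACLs are not mirror images of each other")
    if a["psk"].get(a["peer"]) != b["psk"].get(b["peer"]):
        problems.append("pre-shared keys do not match")
    return problems
```

Running check_pair on two configs built with lab_config, one with the IKE line and one without, reports the missing line on the second side only; with both sides complete and mirrored it returns an empty list.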

Thanks for all the suggestions.  I wiped the ASAs and started from factory default again just to avoid any misconfigurations. I also tested the outside and inside interfaces of each of the ASA by connecting a workstation to the inside interface of the ASAs and was able to surf the web just fine.

I then applied the site-to-site VPN configuration and sadly ended up with the same result as before, even after applying the command #crypto ikev1 enable outside.  I'm not sure what else could be the issue here as Remote Access VPN was working just fine on one of my previous labs.  Could it be the difference in IOS version?  I have ASA1 running v8.4(6) and ASA2 running v9.0(2).

I also ran the debug commands as suggested by a poster above, with no results returned. Perhaps the ASAs aren't even talking. Any other suggestions are much appreciated. Also, if there are other site-to-site VPN configurations out there that I should try, please post them here. Many thanks for everyone's suggestions on this issue so far.

ASA1# sh crypto ipsec sa
There are no ipsec sas

ASA1# sh isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs

It occurs to me the examples you show above are testing from the ASAs themselves. Interesting traffic has to come into the ASA for a tunnel to form - not be sourced from it.


Try tracing a packet with the packet tracer. Use IP addresses not on either ASA for your source and destination. e.g.:

packet-tracer input inside icmp 192.168.1.2 0 0 192.168.2.2 detailed

Please post the results.

Marvin is right. Probably you are initiating or trying to ping the remote end from your ASA.

Try it from your PC.

Also, you should see at least some messages in your log. Do you have logging enabled?

logging enable

logging buffered informational

and then you should see some logs.
